This advisory contains information about the CFTC cyber enforcement action and the FCA's statement on GDPR.
CFTC Cyber Enforcement Action
On February 12, 2018, the Commodity Futures Trading Commission (CFTC) ordered a registered futures commission merchant ("FCM") to pay a $100,000 fine for its alleged failure to supervise its IT provider's implementation of key provisions of its information systems security program (ISSP). The CFTC charged the FCM with failing to supervise critical provisions, including identifying and performing risk assessments of access routes into its network, performing quarterly network risk assessments to identify vulnerabilities, maintaining strict firewall rules, and detecting unauthorized activity on the network.
As a result of the failure, an unaffiliated third party claimed to have accessed and copied 97,000 files containing customer data, including personally identifiable information, from the FCM's network, and alerted federal authorities to the exposure. The vulnerability was allegedly caused by an open access route in a network-attached storage device. Three successive quarterly risk assessments performed by the FCM failed to identify this vulnerability, leaving customer data exposed for 10 months.
For more information, see the CFTC's alert.
ACA Aponix Guidance
ACA Aponix recommends taking the following precautionary measures to avoid breaches and prevent regulatory fines:
- Validate the implementation of your security controls to ensure they are adequate and in line with your WISP, regardless of whether those controls are implemented internally or by a third party;
- Inventory sensitive data; and
- Ensure access to sensitive data is restricted to staff who need it and periodically review access.
How ACA Aponix Can Help
ACA Aponix can help your firm assess its cybersecurity risk and identify vulnerabilities that could lead to a breach. Our services include:
- Penetration Testing and Vulnerability Assessments - Helps identify network vulnerabilities that could be exploited and lead to a breach.
- Risk Assessments - Helps determine if business processes and system or network configurations could expose your business to cyber risks.
- Threat Intelligence (such as monitoring hacker chat forums) - Helps identify potential targeted attacks or an ongoing breach.
- Cyber Incident Response Planning and Table-Top Exercises - Helps develop and validate your firm’s ability to appropriately respond to a potential cyber incident.
- WISP Development Assistance - Helps review and/or develop your Written Information Security Program (WISP) to ensure adequate policies and controls are in place to protect your network and data.
FCA Statement on GDPR
The Financial Conduct Authority (FCA) indicated in a joint statement with the Information Commissioner's Office (ICO) that the European Union's General Data Protection Regulation (GDPR) does not impose requirements that are incompatible with the rules in the FCA Handbook. Although GDPR compliance is regulated by the ICO, there are a number of requirements that the GDPR and the FCA share. The FCA will consider GDPR requirements under its rules, including the requirements in the Senior Management Arrangements, Systems and Controls (SYSC) module.
How ACA Aponix Can Help
ACA Aponix can assess your organization's readiness to comply with GDPR requirements. As part of our assessment, we will review your firm's personal data processing activities to build a data inventory, identify risks and gaps relative to the requirements of GDPR, and assist with building a practical action plan to address deficiencies.
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.